Thursday, November 01, 2007

Bonnie & Clyde and Cybercrime

I spoke at a conference in Italy last week; after I spoke I got a question from a member of the audience. His question, which went to how and why we in the U.S. federalize certain crimes, made me think about a part of our history in a way I had not done before.

His question basically went to why we make it a federal crime for someone to hack the computer system of a private company. He was coming from the very logical premise that hacking the system of a private company is an attack on private property, so he wondered why that should become a federal crime.

In answering him, I recapped the history of the increasing federalization of crime in the U.S., something I’m going to repeat here. After I do that, I want to offer a few thoughts on what that history may, or may not, suggest about how we can go about dealing with cybercrime.

Until early in the twentieth century, crime in the U.S. was proscribed and prosecuted almost exclusively at the state level. There were some federal crimes, such as counterfeiting and treason, but they tended to be the exception. The drafters of the U.S. Constitution intended that crime would be handled primarily at the local level; a few years ago, an American Bar Association study found that this was their intention, the theory being that it makes more sense for crime to be punished as close as possible to the local community.

This theory derives both from history (that’s the way it had always been done) and from the assumption that handling crime at the local level was the best way to deter crime and encourage people to follow the law. The notion is, essentially, that the closer we are to the process of prosecuting and punishing criminal behavior, the more likely we are to take the process seriously and see it as something that could affect us.

That was the way things worked until about the second decade of the twentieth century, when automobiles began to become more common in the U.S. As they became more common, motor vehicles began to influence how certain crimes were being committed.

One crime, arguably a “new” crime at the time, was automobile theft: Someone could steal a car in, say, Ohio and drive it into Indiana or Illinois or Texas . . . which would pretty much defeat the Ohio police’s efforts to find the car and prosecute the thief. In other words, car thieves pretty quickly figured out that they could exploit state borders to their advantage; they figured out that each state only had jurisdiction to investigate crime within its borders. There really was no effective way for, say, Ohio officers to pursue a car thief into Indiana and then Illinois and however many other states he took the car into.

This concept of using the mobility of motor vehicles to elude apprehension and prosecution then migrated into other areas, such as kidnapping and bank robbery. As those of us who’ve seen the movie “Bonnie & Clyde” know, the 1930’s say the rise of bank robbing gangs who used high-speed automobiles to rob a bank in one state and then flee to another, thereby avoiding the police. Indeed, according to one book I read, Clyde went so far as to send Henry Ford a letter, thanking Ford for making such fast cars; Clyde assured Ford that he always preferred using Fords in his car thefts, both because they were so fast and because they were so common it was easy to hide out in them.

The question the Italian gentleman asked me last week made me think about all of this a little more deeply. In answering him, I realized something I had already known, but hadn’t really thought about: What American bank robbers and kidnappers and car thieves were doing 70 and 80 years ago is functionally indistinguishable from what cybercriminals are doing today. Both use(d) then-current technology to exploit the fact that states (whether discrete states in a federal system like ours, or nation-states in our global system) have jurisdiction only within their own borders.

In the law, there are two fundamental principles governing a sovereign state’s exercise of jurisdiction in criminal cases: One is that a sovereign state has jurisdiction to adopt law criminalizing conduct occurring within its territory and to sanction those who violate that law. The other principle is that one state (Ohio or France) cannot enforce its laws inside the territory of another state (Indiana or Italy). So, criminals – who generally tend to be among the first adopters of new technologies -- can use those principles against sovereign states by committing a crime in one state and then fleeing to another state or, for cybercrime, by remotely committing a crime in another state.

Okay, none of this is new. What I realized last week goes not to the fact that all of this has happened and is happening. It goes, instead, to the strategy the U.S. used to deal with the motor vehicle as criminal tool issue. It occurred to me that the strategy might, or might not, be an instructive example for how we could deal with cybercrime.

The way the U.S. dealt with the motor vehicle as criminal tool issue was to enact federal laws that made it a crime to, for example, steal a motor vehicle in one state and take it across state lines for the purpose of evading apprehension and to kidnap someone in one state and take them across state lines for the same purpose. In other words, the U.S.’ approach was to move to a supra-state system of laws, a national set of laws. This meant that the criminals could no longer find a safe haven: Federal authorities could chase them from Ohio to Indiana to Illinois and all the way to Texas, if necessary.

I thought of this last week both because it was relevant in answering the gentleman’s question and because it perhaps suggests something about how we need to approach cybercrime.

Like the 1930’s bank robbers, cybercriminals are using new technology to exploit the jurisdictional limitations of specific sovereigns to their advantage. Everyone recognizes that. The question is, what do we do about this?

The Council of Europe’s Convention on Cybercrime attempts to deal with the problem by encouraging countries to adopt standardized, consistent laws that (i) criminalize certain activities (such as hacking, child pornography, etc.) and (ii) facilitate law enforcement cooperation with officers from other countries. The goal, in effect, is to achieve a voluntary, lateral solution to the problem. The notion is that if the various nation-states all have a core of consistent laws criminalizing behaviors and specifying what police can do in collecting and sharing information about cybercrimes, then this will make it much more difficult for cybercriminals to exploit the parochial jurisdictional capacities of the various nation-states.

I like that solution because it is voluntary, and because it is lateral. As we all know, cyberspace favors the lateral, rather than the hierarchical, organization of human behavior. So this seems a flexible, adaptive solution. My only concerns with it are that (i) it may take a very long time to achieve this consensus and (ii) it may prove difficult to achieve consensus in certain areas, because national laws are bound up with local culture. We in the U.S. are already outliers because of our First Amendment; it means that we can, indeed must, host content that is criminalized elsewhere, a circumstance that will not change unless and until we eliminate that aspect of the First Amendment (which is highly unlikely).

What about the alternative? . . . What about a solution analogous to what the U.S. did with motor vehicle-facilitated crime about 80 years ago? Could we somehow adopt a set of supranational laws targeting cybercrime and use that to defeat cybercriminals’ ability to evade and frustrate the application of national laws?

As a federal system, the U.S. was in a perfect position to move to the next level – to shift to a higher-tier, system-wide set of laws targeting motor vehicle-facilitated crime. We do not have a global federal system or any thing comparable. We therefore do not have a structure which could be used to implement a similar approach, however logical it might be.

This brings me back to the comments I made in my last post, “A law of cyberspace.” On the one hand, a global, over-arching network of cybercrime laws, with an accompanying, equally-global enforcement system, would clearly be the optimum way to address the exploitation of jurisdictional limits by cybercriminals.

The first problem with that strategy is that we do not have an institution capable of achieving this; the United Nations is the only possible candidate for the task but this really does not come within its charter. The other problem is, as I noted in my last post, that nation-states tend to be possessive of their territory and jealously protective of their own, idiosyncratic laws. I think it will be a long, long time before a global solution to the cybercrime jurisdictional law problems will be a possibility, assuming, of course, that such a solution is desirable.